1. Field of the Invention
The present invention relates to a method and an apparatus for providing terminal access security for a telecommunications network. More particularly, the present invention relates to a method and an apparatus for providing terminal access security for a wireless telecommunication network based on the access status of a wireless terminal.
2. Description of the Related Art
Validating a subscriber terminal connection to a telecommunication network is important for detecting fraudulent and/or faulty access to the network. FIG. 1 shows a flow diagram for a prior art system process 10 for validating access for a subscriber terminal to a wireless network. FIG. 2 shows a schematic block diagram of a prior art system 30 that uses process 10 for validating a subscriber terminal for access to a wireless telecommunications network, for example, a GSM network. System 30 includes a subscriber terminal 31, a remote transceiver station 32, a local office 33 and a central office 34. Subscriber terminal 31 can be, for example, a mobile station (MS), remote transceiver station 32 can be, for example, a base transceiver station (BTS), and local office 33 can be, for example, a mobile switching center (MSC).
Subscriber terminal 31 communicates with remote transceiver station 32 in a well-known manner. Remote transceiver station 32 communicates with local office 33 in a well-known manner. While the network of FIG. 2 is shown with only one subscriber terminal, one remote transceiver station and one local office, it should be understood that the network of FIG. 2 includes other subscriber terminals, remote transceiver stations, local offices and system components that are not shown.
Local office 33 includes a controller 35 for controlling voice and network signaling in a well-known manner. A memory device 36 is coupled to controller 35. Memory device 36 can be embodied as hardware that is separate from controller 35 or integrated as part of controller 35. Memory device 36 includes a memory space partition HLR/VLR 37 for storing subscriber data, such as a Home Location Register (HLR) and a Visitor Location Register (VLR). Memory device 36 provides software processing for HLR/VLR 37 that is separate from, and different from, the processing provided by controller 35. HLR/VLR 37 is a database server that has a record for all subscriber terminals accessing the network through local office 33. The HLR and VLR may be integrated into the same memory device 36. Alternatively, the HLR and VLR may be remotely located. When remotely located, the HLR and VLR communicate in a well-known manner. FIG. 2 shows that the memory space partition for HLR/VLR 37 associates an International Mobile Subscriber Identity (IMSI) for a subscriber terminal with corresponding subscriber profile information. The IMSI is used as a key to the HLR/VLR database.
Local office 33 is connected to and communicates with central office 34 in a well-known manner. Central office 34 includes an Equipment Identity Register (EIR) 38. The EIR is a database server having a record for all subscriber terminals having access to the wireless network.
At step 11 of FIG. 1, a subscriber accesses the wireless network by, for example, turning on subscriber terminal 31, originating a call or requesting other network-based services. At step 12, the system authenticates the subscriber using well-known techniques. If the subscriber is not authenticated at step 13, the system takes an appropriate action at step 14, such as prohibiting the subscriber from further access to the network.
If the subscriber is authenticated at step 13, the system validates terminal 31 at step 15 by verifying that terminal 31 is a type of terminal approved for the network, that is, equipment approved by an appropriate industry or regulatory agency for accessing the network, and by checking whether the equipment is malfunctioning or stolen. To validate terminal 31, local office 33 sends a query to central office 34 to obtain the access status of the terminal. This request is made by local office 33 sending an IMEI_CHECK message to EIR 38 at central office 34. Each respective subscriber terminal has an associated access status stored in EIR 38 that can be, for example, white, grey, black or unknown. Additional access status levels and other nomenclature can be used for indicating the access status of a terminal. The IMEI_CHECK message includes the International Mobile Equipment Identity (IMEI) of subscriber terminal 31, which is used as a key to the database of EIR 38. Central office 34 responds to local office 33 by sending the access status of terminal 31 stored in EIR 38 to the local office in an IMEI_CHECK return result message.
At step 16 of the process, if the access status of terminal 31 is white, terminal 31 is considered to be good and the access to the network requested by the terminal is provided at step 17. A grey access status means that subscriber terminal 31 is considered to be suspect, that is, faulty or stolen. A grey access status at step 18 causes all activity of subscriber terminal 31 to be logged. This logged data may be used by third parties, for example for law enforcement purposes, at step 19, and the requested network access is then provided at step 20. A subscriber terminal having a black access status at step 21 is considered to be bad because it is, for example, a terminal type that is not approved for access to the network, not functionally compatible with the services provided by the network being accessed, or stolen. All access to the wireless network using a subscriber terminal having a black access status is disallowed at step 22. A terminal having an unknown access status is handled at step 23 using well-known error handling techniques.
The prior art approach to validating terminals for network access is inefficient because network resources are used each time a terminal requests access to the network. While detection of fraudulent and faulty access to the network is ensured with the prior art approach, the amount of system signaling associated with this approach is expensive in terms of capacity requirements at the local office, at the EIR and on the signaling transmission facilities between the two.
Another prior art approach for validating terminals is to perform the validation process periodically, for example validating the terminal only on every predetermined number of access requests it makes. While this approach reduces the amount of signaling in the system, the opportunity for fraud increases.
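The following is an added model, not part of the patent text, of the two prior art approaches described above: the per-access IMEI_CHECK flow of FIG. 1 (steps 12 to 23) and the periodic variant that validates only every Nth access. The EIR database contents, the `LocalOffice` class names and the two-messages-per-check accounting are assumptions made for this illustration; the model counts the signaling exchanged with the EIR and the number of accesses a black-listed terminal obtains without validation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed EIR 38 contents keyed by IMEI (sample values, not from the patent).
EIR_DB: Dict[str, str] = {
    "490154203237518": "white",
    "490154203237519": "grey",
    "490154203237520": "black",
}


@dataclass
class LocalOffice:
    """Models local office 33 validating a terminal on every access request."""
    signaling_messages: int = 0                       # IMEI_CHECK requests + results
    activity_log: List[str] = field(default_factory=list)  # grey terminals, step 18

    def imei_check(self, imei: str) -> str:
        """Step 15: IMEI_CHECK to EIR 38, answered by an IMEI_CHECK return result."""
        self.signaling_messages += 2
        return EIR_DB.get(imei, "unknown")

    def handle_access(self, imei: str, authenticated: bool) -> str:
        """Steps 12 to 23 of FIG. 1 for a single access request."""
        if not authenticated:                         # steps 13/14
            return "denied:authentication"
        status = self.imei_check(imei)
        if status == "white":                         # steps 16/17
            return "allowed"
        if status == "grey":                          # steps 18 to 20: log, then allow
            self.activity_log.append(imei)
            return "allowed:logged"
        if status == "black":                         # steps 21/22
            return "denied:blacklisted"
        return "error:unknown_status"                 # step 23


@dataclass
class PeriodicLocalOffice(LocalOffice):
    """Second prior art approach: IMEI_CHECK only on every Nth access per terminal."""
    every_n: int = 3
    access_counts: Dict[str, int] = field(default_factory=dict)

    def handle_access(self, imei: str, authenticated: bool) -> str:
        if not authenticated:
            return "denied:authentication"
        n = self.access_counts[imei] = self.access_counts.get(imei, 0) + 1
        if (n - 1) % self.every_n != 0:               # between checks: no EIR query
            return "allowed:unvalidated"
        return super().handle_access(imei, True)


def compare_approaches(imei: str, accesses: int, every_n: int) -> Tuple[int, int, int]:
    """Returns (messages per-access, messages periodic, unvalidated periodic accesses)."""
    per_access, periodic = LocalOffice(), PeriodicLocalOffice(every_n=every_n)
    for _ in range(accesses):
        per_access.handle_access(imei, True)
    unvalidated = sum(periodic.handle_access(imei, True) == "allowed:unvalidated"
                      for _ in range(accesses))
    return per_access.signaling_messages, periodic.signaling_messages, unvalidated
```

Running `compare_approaches("490154203237520", 6, 3)` on the constructed black-listed IMEI yields 12 messages for the per-access approach against 4 for the periodic one, but the periodic approach lets that terminal through four times without any check, which is the trade-off the two paragraphs above describe.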